
“Failed to verify the SSL certificate for one or more vCenter Server Systems” error in the vSphere Web Client (2050273)


Symptoms

  • The VMware vSphere Web Client displays the error:

    • Failed to verify the SSL certificate for one or more vCenter Server Systems: https://vCenterServerFQDN:443/sdk
    • could not connect to one or more vCenter Server Systems:https://vCenterFQDN:443/sdk

  • Objects such as hosts or virtual machines are not displayed in the vSphere Web Client.

Purpose

To resolve the Failed to verify the SSL certificate for one or more vCenter Server Systems error in the vSphere Web Client, unregister the duplicate vCenter Server service.

Cause

This issue occurs in these situations:
  • During the re-installation of vCenter Server, it is possible to have the same vCenter Server registered more than once to Single Sign-On (SSO).
  • With a previous install of vCenter Server, SSL certificates are not overwritten or removed properly during an upgrade or re-installation.

    Note: If there are previous issues with the certificates, they may not be exposed until the installation and use of the 5.1 Web Client.

Before proceeding with the steps in the Resolution section, ensure that you are not experiencing the issue identified in "vSphere Web Client 5.1 reports this SSL warning after an installation or upgrade: Failed to verify the SSL certificate for one or more vCenter Server Systems" (2036505).

Resolution

To resolve this issue, identify the scenario you are experiencing:

vSphere 5.x

  • To find a duplicate registered vCenter Server instance:

    1. Log in to the server with vCenter Single Sign-On installed.
    2. Open a Windows Command Prompt as administrator.
    3. Navigate to this directory depending on your vSphere version:

      vCenter Server 5.1 –  %Program Files%\VMware\Infrastructure\SSOServer\ssolscli

      vCenter Server 5.5 – C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso

    4. Set the JAVA_HOME variable by running this command:

      vCenter Server 5.1 – SET JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre

      Note: Verify the path first. The listed path is the default. However, after multiple installs, the path may be changed to C:\Program Files\VMware\Infrastructure\jre1.


      vCenter Server 5.5 – SET JAVA_HOME=C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components

    5. To create a text file with a list of the services registered with SSO, run this command:

      ssolscli.cmd listServices https://vCenter_Single_Sign-on_FQDN:7444/lookupservice/sdk > c:\sso_services.txt

    6. Open the generated text file to find a list of services registered to vCenter Single Sign-On.

      In the text file, you see output similar to:

      vSphere 5.1


      Service 1
      -----------
      serviceId={93135931-7B87-4B11-B6FC-236A8849B728}:2
      serviceName=vCenterService
      type=urn:vc
      endpoints={[url=https://FQDN:443/sdk,protocol=vmomi]}
      version=5.1
      description=vCenter Server
      ownerId=vCenterServer_2013.10.10_163108@System-Domain
      productId=
      viSite={93135931-7B87-4B11-B6FC-236A8849B728}

      Service 2
      -----------
      serviceId={93135931-7B87-4B11-B6FC-236A8849B728}:1
      serviceName=vCenterService
      type=urn:vc
      endpoints={[url=https://FQDN:443/sdk,protocol=vmomi]}
      version=5.1
      description=vCenter Server
      ownerId=vCenterServer_2013.10.10_163123@System-Domain
      productId=
      viSite={93135931-7B87-4B11-B6FC-236A8849B728}


      vSphere 5.5

      Service 1
      -----------
      serviceId=Site Name:02dde295-422a-403e-b32c-1e40c3f188fd
      serviceName=vCenterService
      type=urn:vc
      endpoints={[url=https://FQDN:443/sdk,protocol=vmomi]}
      version=5.1
      description=vCenter Server
      ownerId=vCenterServer_2013.10.10_163108@System-Domain
      productId=
      viSite=Site Name

      Service 2
      -----------
      serviceId=Site Name:811660f9-f110-4ee7-8f9e-dc0dd1d062fe
      serviceName=vCenterService
      type=urn:vc
      endpoints={[url=https://FQDN:443/sdk,protocol=vmomi]}
      version=5.1
      description=vCenter Server
      ownerId=vCenterServer_2013.10.10_163123@System-Domain
      productId=
      viSite=Site Name


    Note: For a non-linked vCenter Server configuration, ensure there is only one vCenter Server registered with SSO. If a duplicate vCenter Server service is found, unregister the duplicate vCenter Server service by checking the time and date of the ownerId and unregistering the older service.

    You can also identify the current vCenter Server instance by reviewing the vpxd.cfg file located at C:\ProgramData\VMware\VMware VirtualCenter. The current vCenter Server instance ID and name are displayed in a form similar to:

    <lookupService>
    <serviceId>{9300C2AC-4D97-4191-8EB1-387D9823E6E3}:23</serviceId>
    </lookupService>
    <solutionUser>
    <name>vCenterServer_2013.02.28_170324</name>
    </solutionUser>
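
The following added example (not part of the VMware article, and not VMware code) applies the note above to the listServices text: it groups urn:vc entries by endpoint, orders each group by the timestamp in ownerId, and returns the older serviceId values, refusing to answer if the newest entry is not the serviceId recorded in vpxd.cfg. Treating entries with identical endpoints as duplicates, and the function names, are assumptions.

```python
import re
from datetime import datetime

# Sample: fields copied from the vSphere 5.1 listing shown above.
SAMPLE = """\
Service 1
-----------
serviceId={93135931-7B87-4B11-B6FC-236A8849B728}:2
type=urn:vc
endpoints={[url=https://FQDN:443/sdk,protocol=vmomi]}
ownerId=vCenterServer_2013.10.10_163108@System-Domain

Service 2
-----------
serviceId={93135931-7B87-4B11-B6FC-236A8849B728}:1
type=urn:vc
endpoints={[url=https://FQDN:443/sdk,protocol=vmomi]}
ownerId=vCenterServer_2013.10.10_163123@System-Domain
"""

def parse_services(text):
    """Return one dict of key=value fields per 'Service N' block."""
    services = []
    for line in map(str.strip, text.splitlines()):
        if re.fullmatch(r"Service \d+", line):
            services.append({})
        elif services and "=" in line:
            key, _, value = line.partition("=")
            services[-1][key] = value
    return services

def owner_time(svc):
    """Timestamp embedded in ownerId; raises ValueError if it has none."""
    stamp = svc.get("ownerId", "").partition("_")[2].partition("@")[0]
    return datetime.strptime(stamp, "%Y.%m.%d_%H%M%S")

def stale_service_ids(services, current_id=None):
    """Older urn:vc serviceIds per shared endpoint (grouping is assumed)."""
    groups = {}
    for svc in services:
        if svc.get("type") == "urn:vc":
            groups.setdefault(svc.get("endpoints", "").lower(), []).append(svc)
    stale = []
    for group in (g for g in groups.values() if len(g) > 1):
        group.sort(key=owner_time)
        if current_id and group[-1]["serviceId"] != current_id:
            raise ValueError("newest entry is not the vpxd.cfg serviceId")
        stale += [svc["serviceId"] for svc in group[:-1]]
    return stale
```

Pass the contents of c:\sso_services.txt to parse_services and the serviceId value from vpxd.cfg as current_id; a ValueError means the listing and vpxd.cfg disagree and the entry to remove should be chosen by hand.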


    To unregister a duplicate vCenter Server service, use the full Service ID found in the sso_services.txt output and unregister the service using the ssolscli unregisterService command.

    1. Create a file called c:\serviceID.txt, which contains only the entire serviceID of the duplicate vCenter Server. For example, to create the file:

      vSphere 5.1:

      {93135931-7B87-4B11-B6FC-236A8849B728}:2

      vSphere 5.5:

      Site Name:02dde295-422a-403e-b32c-1e40c3f188fd

    2. Unregister the service by running this command:

      vSphere 5.1:

      ssolscli unregisterService -d https://vCenter_Single_Sign-On_FQDN:7444/lookupservice/sdk -u admin@system-domain -p SSO_Password -si c:\serviceID.txt


      vSphere 5.5:

      ssolscli unregisterService -d https://vCenter_Single_Sign-On_FQDN:7444/lookupservice/sdk -u administrator@vsphere.local -p SSO_Password -si c:\serviceID.txt

      Note: If the vCenter Single Sign-On service is installed separate from the vCenter Server, use the FQDN of the vCenter Single Sign-On server in the preceding command.

    3. Log in to vCenter Server using the vSphere Web Client and a vCenter Single Sign-On administrative account to verify that the issue is resolved.

  • This can also be caused by certificate issues. To replace the existing certificates, see:

  • If the preceding steps do not resolve the issue, the VMware products may need to be re-installed.

    1. Uninstall vCenter Server and its components in this order:

      1. vSphere Web Client
      2. vCenter Server
      3. vCenter Inventory Service
      4. vCenter Single Sign-On

    2. Remove the RSA database and the RSA_USER and RSA_DBA users.
    3. Rename these folders containing SSL information:

      • Rename C:\Program Files\VMware\Infrastructure to InfrastructureOld  
      • Rename C:\ProgramData\VMware\Infrastructure to InfrastructureOld  
      • Rename C:\ProgramData\VMware\VMware VirtualCenter to vCenterOld  
      • Rename C:\ProgramData\VMware\vSphere Web Client to WebClientOld
      • Rename C:\ProgramData\VMware\SSL to SSLOld 

    4. Create a new RSA database and users using the provided scripts. For more information, see the vSphere Installation and Setup Guide.

      Create the RSA_USER and RSA_DBA users using the script named rsaIMSLiteMSSQLSetupUsers.sql, which is included on the vCenter Server 5.1 install media.

    5. Install vCenter Server and its components in this order:

      1. SSO
      2. Inventory Service
      3. vCenter Server
      4. Web Client

    6. Log in to vCenter Server via the Web Client using admin@System-Domain for 5.1 or administrator@vsphere.local for 5.5.

      Verify that the issue is resolved.

vSphere 6.x

  • To find a duplicate registered vCenter Server instance:

    For Windows:

    1. Log in to the server with the Platform Services Controller installed.
    2. Open a Windows Command Prompt as administrator.
    3. To create a text file with a list of the services registered within the Platform Services Controller, run this command:

      "%VMWARE_PYTHON_BIN%" "%VMWARE_CIS_HOME%\VMware Identity Services\lstool\scripts\lstool.py" list --url http://localhost:7080/lookupservice/sdk --type vcenterserver > c:\psc_services.txt

    4. Open the generated text file to find a list of services registered to the Platform Services Controller.

      In the text file, you see output similar to:

      Name: AboutInfo.vpx.name
      Description: AboutInfo.vpx.name
      Service Product: com.vmware.cis
      Service Type: vcenterserver
      Service ID: 608AF497-B198-40D1-9855-545533A488AF
      Site ID: home-office
      Node ID: 86ca3bf1-9201-11e3-8f19-000c29562ae2
      Owner ID: vpxd-86ca3bf1-9201-11e3-8f19-000c29562ae2@vsphere.local
      Version: 6.0
      Endpoints:
      Type: com.vmware.cis.workflow
      Protocol: vmomi
      URL: http://vCenter1.domain.local:8088
      SSL trust: 

      Name: AboutInfo.vpx.name
      Description: AboutInfo.vpx.name
      Service Product: com.vmware.cis
      Service Type: vcenterserver
      Service ID:  6ae3bf1a-9318-4a33-b2cb-d2eaa7a306c5
      Site ID: home-office
      Node ID: 86ca3bf1-9201-11e3-8f19-000c29562ae2
      Owner ID: vpxd-bf048b3a-231e-40b0-96ea-e5792f7fa65b@vsphere.local
      Version: 6.0
      Endpoints:
      Type: com.vmware.cis.workflow
      Protocol: vmomi
      URL: http://vCenter2.domain.local:8088
      SSL trust: 

      Name: vCenterService
      Description: vCenter Server
      Service Product: com.vmware.cis
      Service Type: vcenterserver
      Service ID: default-first-site:01c98f18-770a-41c2-a967-b7a4b574cad2
      Site ID: default-first-site
      Owner ID: vCenterServer_2015.04.20_143355@vsphere.local
      Version: 5.5
      Endpoints:
      Type: com.vmware.vim
      Protocol: vmomi
      URL: https://Legacy_vCenter.domain.local:443/sdk


    5. To unregister the duplicate service endpoint, run this command:

      "%VMWARE_PYTHON_BIN%" "%VMWARE_CIS_HOME%\VMware Identity Services\lstool\scripts\lstool.py" unregister --url http://localhost:7080/lookupservice/sdk --id Service_ID from Step 4 --user "administrator@vsphere.local" --password "administrator_password" --no-check-cert

      Use this as a model:

      "%VMWARE_PYTHON_BIN%" "%VMWARE_CIS_HOME%\VMware Identity Services\lstool\scripts\lstool.py" unregister --url http://localhost:7080/lookupservice/sdk --id 608AF497-B198-40D1-9855-545533A488AF --user "administrator@vsphere.local" --password "VMware123!" --no-check-cert

    For Appliance:

    1. Connect to the Platform Services Controller using SSH.
    2. Run this command to enable access to the Bash shell:

      shell.set --enabled true

    3. Type shell and press Enter.
    4. To create a text file with a list of the services registered within the Platform Services Controller, run this command:

      /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk --type vcenterserver > /tmp/psc_services.txt

    5. Open the generated text file to find a list of services registered to the Platform Services Controller.

      In the text file, you see output similar to:

      Name: AboutInfo.vpx.name
      Description: AboutInfo.vpx.name
      Service Product: com.vmware.cis
      Service Type: vcenterserver
      Service ID: 1dbc3e9f-626d-4314-8731-ca744a0d9f4b
      Site ID: home
      Node ID: d3eba55a-d4df-11e4-b3f7-000c2987c143
      Owner ID: vpxd-2752b8d1-e68b-49f8-8c92-ce3f042bf487@vsphere.local
      Version: 6.0
      Endpoints:
               Type: com.vmware.cis.workflow
               Protocol: vmomi
               URL: http://vcsa2.domain.local:8088

      Name: AboutInfo.vpx.name
      Description: AboutInfo.vpx.name
      Service Product: com.vmware.cis
      Service Type: vcenterserver
      Service ID: 6ae3bf1a-9318-4a33-b2cb-d2eaa7a306c5
      Site ID: home
      Node ID: 44b05c52-d4d3-11e4-830b-000c29a0e10e
      Owner ID: vpxd-bf048b3a-231e-40b0-96ea-e5792f7fa65b@vsphere.local
      Version: 6.0
      Endpoints:
               Type: com.vmware.cis.workflow
               Protocol: vmomi
               URL: http://vcsa1.domain.local:8088

    6. To unregister the duplicate service endpoint, run this command:

      /usr/lib/vmidentity/tools/scripts/lstool.py unregister --url http://localhost:7080/lookupservice/sdk --id Service_ID from Step 5 --user 'administrator@vsphere.local' --password 'administrator_password' --no-check-cert

      Use this as a model:

      /usr/lib/vmidentity/tools/scripts/lstool.py unregister --url http://localhost:7080/lookupservice/sdk --id 6ae3bf1a-9318-4a33-b2cb-d2eaa7a306c5 --user 'administrator@vsphere.local' --password 'VMware123!' --no-check-cert

Tags

vCenter vcenter.empower.local is registered twice in the PSC, issues with the duplicate vcenter, could not connect to one or more vcenter server systems, Error: could not connect to one or more vcenter server systems, Error: failed to verify the ssl certificate for one or more vcenter server systems, connect to sso fails with cert error

This Article Replaces

2051847
